irony is the new

T-Mobile doesn’t want my keypresses.

Today I tried to pay my phone bill and noticed that the T-Mobile website account associated with my current number had been deleted (presumably this happened when my plan was cancelled). This was unexpected, but only mildly frustrating. I went through the registration process, generated a new password in my password safe, and pasted it into the field.

Nothing happened. They were preventing pasting, presumably as some kind of demented ‘security’ measure.

Mildly irked, I typed in the generated password. It was only when I typed it in a second time that I noticed I’d run over the maximum length and was losing the last character. But wait, my new password was the same length as the old one for my account – had I been getting cut off the entire time? I tried adding some gibberish – I wasn’t anywhere near the maximum length.

I looked at the generated password more closely. The last character – the one I couldn’t type. Dots connected and neurons fired. I fired up Chrome’s developer tools as a sense of bemused horror crept over me. I almost didn’t want to spend the time – it was so absurd, after all. It couldn’t be.

function keyDown(a){if(a.keyCode==86){a.preventDefault()}}

And yet it was. They weren’t blocking pasting – they were blocking all ‘v’ keypresses.

I had a pretty big smile on my face at this point. This code would have been bad anywhere, but without any knowledge of their codebase and with an admittedly mediocre aptitude for JavaScript I had found the problem in perhaps fifteen minutes! The idea that a major US telephone company would feature it on their production account registration form was silly enough that I promptly tweeted about it.
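To see the effect of that handler on a typed password, here is an added example (not part of the original post, and apart from the quoted `keyDown` not the site's code) that feeds constructed keydown events through it. The event stand-in, the `keyDownChordOnly` variant, the helper names and the sample password are all assumptions made for illustration.

```javascript
// The handler quoted above, expanded for readability; behaviour unchanged.
function keyDown(a) { if (a.keyCode == 86) { a.preventDefault(); } }

// Hypothetical variant: cancels only the Ctrl+V / Cmd+V chord.
// Context-menu paste and Shift+Insert never reach this check, so it does not
// stop pasting; all it does is get in the way of password-manager users.
function keyDownChordOnly(a) {
  if (a.keyCode == 86 && (a.ctrlKey || a.metaKey)) { a.preventDefault(); }
}

// Constructed stand-in for a browser keydown event (no DOM needed).
function fakeKeyDown(keyCode, mods = {}) {
  return {
    keyCode,
    ctrlKey: Boolean(mods.ctrlKey),
    metaKey: Boolean(mods.metaKey),
    shiftKey: Boolean(mods.shiftKey),
    defaultPrevented: false,
    preventDefault() { this.defaultPrevented = true; },
  };
}

// Legacy keyCode identifies the physical key: 'v' and 'V' are both 86.
function keyCodeFor(ch) {
  if (/^[a-z]$/i.test(ch)) return ch.toUpperCase().charCodeAt(0);
  if (/^[0-9]$/.test(ch)) return ch.charCodeAt(0);
  throw new Error("sample is limited to letters and digits: " + ch);
}

// Model: a cancelled keydown means the character never reaches the field.
function typeThrough(handler, password) {
  let field = "";
  for (const ch of password) {
    const ev = fakeKeyDown(keyCodeFor(ch), { shiftKey: /[A-Z]/.test(ch) });
    handler(ev);
    if (!ev.defaultPrevented) field += ch;
  }
  return field;
}

// Does the handler cancel the Ctrl+V chord itself?
function pasteChordBlocked(handler) {
  const ev = fakeKeyDown(86, { ctrlKey: true });
  handler(ev);
  return ev.defaultPrevented;
}

const SAMPLE = "x7Qv9Lk2V"; // constructed password, not a real credential
console.log(typeThrough(keyDown, SAMPLE), typeThrough(keyDownChordOnly, SAMPLE));
```

With the quoted handler every `v` and `V` is silently dropped from what the user types, which is why a generated password ending in that letter appeared to be cut off.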
